CompTIA quietly retired the CASP+ name in 2024 and rebranded the exam to SecurityX (CAS-005). If you've been searching "CompTIA CASP" and landing on outdated study guides still referencing CAS-004, that's why nothing quite adds up. This guide covers both versions—what changed, what stayed the same, and whether this certification is actually worth 10–15 weeks of your life.
What Is CompTIA CASP+ and How Does It Differ from SecurityX?
CompTIA CASP+ (Advanced Security Practitioner) was the certification tied to exam code CAS-004, which retired in April 2025. Its replacement, CAS-005 / SecurityX, covers largely the same territory but with heavier emphasis on AI-driven threats, zero-trust architecture, and supply chain risk—topics that were peripheral in CAS-004 but are now core exam domains.
If you bought study materials before mid-2024, check the exam code. CAS-004 and CAS-005 share significant overlap—enterprise security architecture, risk management, cryptography, incident response—but CAS-005 adds roughly 15% new content that older prep courses won't cover. A score report from a CAS-004 exam is still recognized by DoD 8570/8140 directives, so existing CASP+ holders don't need to immediately recertify.
CAS-004 vs CAS-005 at a Glance
- CAS-004 (CASP+): Retired April 2025. Four domains: Security Architecture, Security Operations, Security Engineering & Cryptography, Governance/Risk/Compliance.
- CAS-005 (SecurityX): Active now. Same four domain areas, updated to include AI threat modeling, post-quantum cryptography considerations, and expanded zero-trust content. Maximum 90 questions, 165-minute time limit, passing score 750/900.
- Cost: $508 USD for a voucher from CompTIA directly. Third-party vouchers (academic or government discount) bring this to $350–$420.
- Format: Multiple-choice plus performance-based questions (PBQs). The PBQs are scenario simulations—drag-and-drop network diagrams, firewall rule configuration, log analysis. These are where candidates fail.
Who the CompTIA CASP+ Exam Is Actually For
CompTIA recommends 10 years of general IT experience, with five years in security. That's not marketing padding—it's an accurate description of the assumed knowledge baseline. The exam doesn't test whether you can define concepts; it tests whether you can make trade-off decisions in ambiguous enterprise scenarios.
A question might give you a scenario where an acquired subsidiary runs legacy OT systems, the CISO wants full network segmentation within 90 days, budget is constrained, and you need to recommend a compensating control strategy. There's no single right answer—there's a most-defensible answer given the constraints. That kind of reasoning requires actual experience, not just memorized definitions.
Good fit for:
- Security architects and senior engineers who want DoD 8570 compliance without pivoting to a management track
- Penetration testers moving into security program leadership
- Cloud security engineers who need to validate enterprise architecture credentials
- Federal contractors required to meet IAT Level III or IAM Level II/III requirements
Not a good fit for:
- Security+ holders looking for a "next step"—there's a significant experience gap between Security+ and CASP+/SecurityX. CySA+ or PenTest+ is a more logical intermediate step.
- Anyone primarily interested in the management track—CISSP covers similar ground with better industry recognition for director/VP roles.
Exam Domains and What They Actually Test
Domain 1: Governance, Risk, and Compliance (29%)
The largest domain on CAS-005. Covers risk quantification methods (FAIR model, Monte Carlo analysis), compliance frameworks (NIST CSF 2.0, ISO 27001:2022, CMMC 2.0), and contractual security requirements. Expect scenario questions where you're selecting risk treatment strategies for third-party vendors or advising on regulatory conflicts between jurisdictions.
Domain 2: Security Architecture (29%)
Enterprise network design with zero-trust principles, hybrid cloud security models, and software-defined networking. This domain requires you to understand not just what zero-trust means conceptually, but how to implement it across an environment with legacy systems that can't support modern identity controls.
Domain 3: Security Engineering (25%)
Cryptography (key management, PKI, post-quantum considerations), secure software development, and hardware security modules. The PBQs here often involve configuring PKI hierarchies or identifying vulnerabilities in application architectures.
Domain 4: Security Operations (17%)
Incident response at the enterprise level, threat hunting, and forensic procedures. Lighter weight than the other domains but tests practical knowledge of SIEM correlation rules, malware analysis workflow, and chain-of-custody procedures.
Salary and Career Outcomes for CompTIA CASP+ Holders
CASP+/SecurityX sits in the same salary band as CISSP in technical (non-management) roles. Bureau of Labor Statistics data puts information security analysts at a median of $120,360 (2023), but CASP+-relevant roles skew higher:
- Security Architect: $130,000–$175,000 median in the US
- Senior Security Engineer: $120,000–$160,000
- DoD contractor roles (IAT Level III): $115,000–$145,000 depending on clearance level
- Cloud Security Engineer with architecture responsibilities: $140,000–$185,000
The certification's biggest salary leverage point is federal contracting. For cleared roles requiring DoD 8570/8140 compliance at IAT Level III, CASP+/SecurityX is one of only a few qualifying certifications alongside CISSP and CISA. In that market, holding the cert can be the difference between qualifying for a requisition and not—it's less about salary negotiation and more about job eligibility.
For private-sector roles, CASP+ is respected but CISSP has broader recognition at the hiring-manager level. If your goal is a security director or CISO path, CISSP is the better investment. If you want to stay hands-on technical while moving into a senior architect role, CASP+/SecurityX is more appropriate—it doesn't require you to pretend you want to manage people.
How Hard Is the CASP+ Exam?
Pass rates aren't published by CompTIA, but community data from Reddit's r/CompTIA and CertMaster Analytics consistently suggest pass rates in the 50–60% range on first attempt. That's meaningfully harder than Security+ (which most experienced people pass comfortably) and roughly comparable to CISSP difficulty, though the exams test different things.
The performance-based questions are the primary failure point. Candidates who study exclusively from multiple-choice question banks routinely fail the PBQ sections. You need hands-on lab practice—configuring actual firewall rules, analyzing real log files, working through network segmentation scenarios in a lab environment.
Realistic prep timeline for someone with solid security experience: 8–12 weeks studying 10–15 hours per week. Less experienced candidates should budget 16–20 weeks.
Top Courses for CompTIA CASP+ and SecurityX Prep
CompTIA SecurityX (CAS-005) 6 Practice Exams
Six full-length practice exams mapped to CAS-005 domains—the closest thing to actual exam simulation available. Strong choice as a final-stage assessment tool once you've completed core study materials, particularly useful for identifying weak spots in the GRC and Security Architecture domains before exam day.
CompTIA Security+ (SY0-701) Exam Prep 2026
If you're building toward CASP+/SecurityX but have gaps in Security+ fundamentals, closing those gaps first makes CASP+ study significantly less painful. This course covers the SY0-701 objectives thoroughly and is well-rated for people who need to shore up foundational knowledge before tackling advanced material.
CompTIA SecAI+ Fundamentals: AI Cybersecurity Basics (CY0-001)
CAS-005 added substantial AI threat modeling content that CAS-004 didn't have. This course covers CompTIA's AI security framework and is directly relevant to the new SecurityX content around adversarial ML, AI-assisted attack detection, and governance of AI systems in enterprise environments.
CompTIA SecAI+ (CY0-001): Course + EBook + Exams (All in One)
A more comprehensive package for the AI security domain—includes practice exams and an ebook alongside video content. Worth considering if you want to simultaneously prep for SecurityX's AI domains and pursue the SecAI+ cert as a standalone credential.
CompTIA Security+ (SY0-701) 1,000+ Practice Questions 2026
For candidates who need volume repetition on Security+ topics before ascending to CASP+ study. Over 1,000 questions with detailed explanations help build the pattern recognition that makes CASP+'s scenario-based questions more tractable.
FAQ: CompTIA CASP+
Is CASP+ still valid now that it's been rebranded to SecurityX?
Yes. CAS-004 (CASP+) credentials issued before April 2025 remain valid and are accepted for DoD 8570/8140 requirements. CompTIA renews certifications every three years through its Continuing Education (CE) program—CASP+ holders renew by earning 75 CEUs over three years, same as SecurityX holders. The rebrand doesn't invalidate existing credentials.
CASP+ vs CISSP: which one should I get?
They serve different career paths. CISSP is better for management-track roles (security director, CISO) and has broader name recognition in private-sector hiring. CASP+/SecurityX is better for staying hands-on technical while advancing to senior architect or principal engineer roles, and is essential for federal DoD contracting at IAT Level III. If you have CISSP, CASP+ doesn't add much. If you want to stay technical and work in the federal space, CASP+/SecurityX is the more relevant credential.
Does CASP+ satisfy DoD 8570 requirements?
Yes. Both CAS-004 (CASP+) and CAS-005 (SecurityX) satisfy DoD 8570.01-M / DoD 8140 requirements at IAT Level III and IAM Level II and III. This is one of the certification's strongest value propositions—it's one of the few vendor-neutral options at that compliance level.
How many questions are on the CASP+ / SecurityX exam?
CAS-005 (SecurityX) has a maximum of 90 questions with a 165-minute time limit. The question count varies because performance-based questions (PBQs) count differently than multiple-choice. Some candidates report finishing with 75–80 questions; others hit all 90. The passing score is 750 on a 100–900 scale.
Can I pass CASP+ without hands-on experience?
Technically possible, but the failure rate for candidates without real-world security architecture experience is high. The performance-based questions are specifically designed to identify whether you've actually configured enterprise security controls—not just studied them. CompTIA's 10-year / 5-year experience recommendation isn't arbitrary. Candidates with 3–4 years of focused security engineering experience have passed, but they're outliers.
How long is CASP+ certification valid?
Three years. Renewal requires 75 continuing education units (CEUs) through CompTIA's CE program, or passing the current version of the exam. Passing a higher-level CompTIA exam (SecurityX renews CASP+; a higher cert would renew SecurityX if one existed in that line) also satisfies the renewal requirement.
Bottom Line
CompTIA CASP+—now SecurityX (CAS-005)—is a legitimate advanced credential for practitioners who want to validate senior-level security architecture skills without moving to a management track. Its strongest use case is federal contracting, where DoD 8570/8140 compliance at IAT Level III creates hard job eligibility requirements that this cert uniquely satisfies.
For private-sector roles, CISSP has better brand recognition at the hiring manager level. But if you're a security architect, senior engineer, or technical lead who wants to stay hands-on and validate skills that go beyond Security+, CASP+/SecurityX is one of the few certifications that actually matches that role level.
If you're studying for it now, make sure your prep materials reference CAS-005 (not just CAS-004). The SecurityX practice exam bundle is the most current simulation available for the updated exam objectives.